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Abstract. This paper discusses how hot carrier in- 
jection (HCI) can be exploited to create a trojan that 
will cause hardware failures. The trojan is produced 
not via additional logic circuitry but by controlled 
scenarios that maximize and accelerate the HCI 
effect in transistors. These scenarios range from 
manipulating the manufacturing process to varying 
the internal voltage distribution. This new type of 
trojan is difficult to test due to its gradual hardware 
degradation mechanism. This paper describes the 
HCI effect, detection techniques and discusses the 
possibility for maliciously induced HCI trojans. 

Introduction 

Due to the capital costs of building and main- 
taining fabrication facilities, the number of fabs is 
shrinking. Hence, there has been a major shift in 
control over the fabrication process for integrated 
circuits, IC. More and more vendors outsource the 
fabrication process to off shore fabrication facili- 
ties lUl. Using such facilities makes the integrated 
circuits vulnerable to malicious alterations. These 
alterations are more commonly known as hardware 
trojans and are usually created by insertion of addi- 
tional logic circuitry [13, 13, S, [H, 0. The 
goal of these trojans ranges from functional changes 
of the circuit to a complete system failure. 

A new type of trojan that avoids the use of addi- 
tional logic circuitry can still be induced by exploit- 
ing the principles of semiconductor physics. One 
such trojan maximizes and accelerates the effects 
of Hot Carrier Injection (HCI). HCI is a mechanism 
that degrades the physical characteristic of a tran- 
sistor, resulting in slower switching times or break 
down. The HCI is just one of the wearing mecha- 
nisms that are responsible for transistor degradation. 
An HCI trojan can be manifested through process 



variations during fabrication or changes in voltage 
distribution during operation. 

The scaling of process technology has increased 
the effect of HCI on CMOS degradation. As a result, 
the operational life time of CMOS devices has been 
decreasing. Integrated circuit manufacturers have 
been addressing this problem with various process 
and design techniques. Fabs test for HCI during 
initial process characterization, but generally do 
not test during wafer production. However, due to 
the outsourcing shift in manufacturing, safeguards 
against HCI become vulnerable. This can result in 
undetected malicious HCI trojan. 

This paper is organized as follows: In section 
two, HCI mechanism is described. In section three, 
detection techniques for HCI is discussed. Finally, 
in section four, different methods are explored for 
introducing HCI trojans. 

HCI Description 

The term "hot carrier injection" refers to carriers 
that have gained high enough kinetic energy due 
to intense electric fields and are injected into the 
gate oxide of the CMOS device. The degradation 
associated with HCI refers to the physical break- 
down and characteristic distortion of the device. The 
operational conditions and the toggling frequency of 
the CMOS transistor are direct contributors to the 
HCI rate [H. 

There are four known mechanism for Hot Carrier 
Injection, that describe the conditions for carriers 
to enter the gate oxide: SHE, CHE, DAHC, SSHE. 
The effects of HCI are more prominent in NMOS 
devices compared to the PMOS devices. It requires 
3.3eV for electrons to overcome the surface energy 
barrier at the Si-Si02 interface and get injected into 
the oxide, compared to A.GeV for holes. This paper 



will concentrate on three HCI effects in NMOS 
devices. 
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Fig. 1. Silicon Lattice interface at the gate oxide 

The most physically destructive HCI mechanism 
is Drain Avalanche Hot Carrier (DAHC) injection. 
This type of carrier injection occurs when the drain 
voltage, Vd, is much greater then the gate voltage, 
Vg (worse case Vd = 2Vg). Such conditions create 
a very high electric field near the drain region. 
This high electric field accelerates the carriers into 
the drain depletion region. The high rate of ac- 
celeration propels the carriers to collide with Si 
lattice atoms and through impact ionization, create 
displaced electron-hole pairs, shown by the yellow 
region in Figure [2j The majority of the generated 
holes are usually absorbed by the substrate and thus 
increases the substrate current, Is^b. Some of the 
generated electrons proceed to the drain and result 
in increased drain current. Id. However, some of 
the electron - hole pairs gain enough energy to 
breach the Si-Si02 interface energy barrier, 3.3eV 
for electrons and A.QeV for holes. 

Once, the carriers have passed the energy barrier 
of the Si-Si02, they can either be trapped at the 
Si-Si02 interface, within the oxide itself or become 
gate current, Ig. After the bulk silicon has been 
cleaved and the exposed silicon bonds have been 
passivated, during the manufacturing process, Si-H 
bonds are formed, shown in Figure[T| Carriers with 
enough energy, > 0.3eV, can break these weak Si- 
H bonds and get trapped, forming a space charge. 
Over time, as more and more carriers are trapped, 
there is an increase in threshold voltage, Vt, and 
a change in conveyed conductance, Qm for NMOS 
transistors. These changes in device characteristics 



result in decrease performance and eventual device 
failure. 
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Fig. 2. HCI effects: SHE {\Vsuh\ » 0), CHE (Vd = Vg), DAHC 

(Vd = 2Vg) 

Substrate hot electron, SHE, injection occurs 
when the substrate voltage is different than zero 
volts, \Vsub\ >> 0. Under this condition, an elec- 
trical field from the substrate drives the carriers 
in the channel upward towards the gate, as shown 
in Figure [2j As the carriers move closer to the 
substrate-oxide interface, they are influenced by 
high electrical field in the surface depletion region, 
which accelerates the carriers and raises their kinetic 
energy. If the carriers reach high enough energy, 
greater then 3.3eV, they will breach the energy 
barrier of the Si-Si02 interface and behave exactly 
as the carriers in the DAHC scenario. 

Channel hot electron, CHE, injection occurs when 
the drain voltage, Vd, is equal to the gate voltage, 
Vg, Vd = Vg, and both voltages are higher then the 
source voltage, Vg. Under this condition, the electric 
field may propel some of the carriers into the gate 
oxide before they reach the drain depletion region, 
as shown in Figure |2j The behavior is exactly the 
same as in DAHC and SHE scenarios. CHE and 
SHE do not physically damage the Si lattice atoms 
during its injection mechanisms, while DAHC is 
very destructive to the drain depletion region. Figure 
|3] shows the DAHC and CHE effects on a CMOS 
inverter. 

The static (DC) conditions for drain the, Vd, and 
substrate, V^ub, voltages leading to the DAHC and 
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Fig. 3. Dynamic HCI effects on a cmos inverter 



the SHE mechanisms are minimized through the 
transistor design process. However, the CHE and 
DAHC injection mechanisms do occur during the 
normal dynamic (AC) transistor switching operation 
as shown in Figure |5j Thus, switching frequency 
as well as voltage conditions determine the rate 
of HCI in a transistor. The normal design and 
manufacturing process are optimized for to produce 
a transistor operational lifetime of greater then 10 
years. 

To combat the problem of gate oxide degrada- 
tion, some manufacturing processes, > 40nm, use 
nitrous oxide, N2O, or nitric oxide, NO, during 
the oxidation process [|9l, ITOl. By optimizing con- 
centration of nitrate of the interface layer, the trap 
density is reduced.For a given process, there is an 
acceptable range of nitrate that can be used that 
decreases the HCI effects and avoids changing the 
performance of the CMOS device. Concentrations 
of nitrogen above the acceptable range will lead to 
gate oxide breakdown. In summary, the HCI rate is 
optimized by manufacturing process and transistor 
design. 



HCI Detection 

There are detection techniques in place to test the 
influence of HCI in an integrated circuit, IC. HCI 
has many different symptoms: change in substrate 
current, Isub, change in the drain current, J^, change 
in the gate current, Ig, change in the threshold volt- 
age, Vt, and change in conveyed conductance, Qm- 
For a packaged circuit, some of these symptoms are 
hard to diagnose. Thus, most detection techniques 
test for known indicators {Idd, Iddq, Vt, access 
time, propagation delay, ...) that are attributed to 
HCI. 

One detection techniques is a canary mechanism 
based on delay monitoring [TH, [Ha, [[Bl, [[T4l . 
This technique employs an additional circuit that 
compares the propagated delay of a transistor or 
any number of devices to a pre-determined stored 
value. As the transistor ages, the compared values 
are adjusted. A flag is raised when the propagation 
delay of a transistor is greater then expected. This 
method assumes that the test circuit does not age, 
since it performs periodic testing and therefore not 
under heavy usage. The main drawback of such 
method of detection is inability to distinguish the 
cause of the changing propagation delay, since there 
are other phenomena that effect transistor delay. 

Ring oscillators are another method for monitor- 
ing transistor degradation. [15], [16J This technique 
can be utilized on the wafer level, in conjunction 
with a canary mechanism or an external monitoring 
probe. 

Design techniques employ device reliability and 
lifetime prediction models, that result in design pa- 
rameter guard-banding. fTTj. [HSl, [19 1 However the 
resulting guard-band can be inadequate to accom- 
modate parameter variability induced by varying 
environmental and manufacturing conditions. Other, 
design techniques, such as obfuscation [20], hide 
the design but also fail in HCI detection since HCI 
affects the transistor and not the circuit layout. Self- 
calibration design[2n. Il22l techniques can be used 
to alter the clock or supply voltage in response to 
monitored transistor degradation. 

In addition, there are wafer level ll23l and pack- 
age level reliability monitoring techniques, as well 
as parameter prognostic techniques [24J that have 
been developed to detect HCI transistor degradation. 
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Fig. 4. Package-level diagnostic test 



Prognostic measures can be applied at the system 
level to detect trends of precursors to HCI induced 
failure. Furthermore, there are fast wafer level reli- 
ability monitor techniques that have been recently 
proposed [25|. 

One packaged device level detection techniques 
varies the environmental operating conditions to de- 
tect the presence of HCI failure mechanism. Figure 
|4] demonstrates the process: 

I. Test for selected parameters to insure the test 

devices functionality, 
n. Devices are placed in an environment is set 
to -55°C and supply voltage (Vdd) is set to 
maximum or 24 hours. 

III. Ramp devices back to room temperature, 25°C. 

IV. Test for selected parameters. 

V. If the device is still functional from step V then 
repeat II, III, IV for a minimum of a 160 hours 
to a maximum of 240 hours. 
VI. Test for selected parameters and if there is a 

significant change this suggests HCI failure. 
VII. Perform unbiased bake at 250°C for 24 hours. 
VIII. Test at room temperature, if full or partial re- 
covery in the monitored parameters is achieved 
then the failure was due to the HCI effects. 



The test results show the resilience of a device to 
the HCI effect. Drawbacks to such a test technique 
are its destructive nature and the length of the test 
procedure. This test technique does not provide the 
reason (design process, manufacturing process, etc.) 
for the HCI induced failures. 

HCI Trojan 

Two ways an HCI trojan could be introduced into 
an integrated circuit (IC), are through the design 
process or the manufacturing process. The purpose 
is to maliciously modify transistors that will cause 
the IC to fail prematurely by utilizing the HCI 
effect. 

As described in Section 2, there are manufac- 
turing processes that minimize the effect of HCI. 
Without knowledge of the circuit design, a hacker 
can distort the variation of nitrate concentration to 
create a wafer with minimal HCI resilience. The 
distortion of the nitrate process will influence the 
lifetime of the device produced from that wafer. The 
annealing time or the temperature used during the 
nitrate layering process can also be used to vary the 
resilience to HCI [^■ll26]l. 

The hacker can also create "infected" transistors 



at the design level. There are several voltage con- 
ditions for a transistor that create HCI mechanisms, 
they are described in section 2. The hacker can alter 
the voltage supply to a particular transistor or an 
array of transistors to create optimal conditions for 
HCI. For example, the conditions to induce DAHC, 
(Vd = 2Vg), during static or dynamic transistor 
operation. This method is very attractive to the 
hacker, because he can target a specific area of the 
chip to accelerate the HCI effect. 
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Fig. 5. HCI effects on SRAM 

The manufacturing process variations, such as 
nitrate distortion, can be coupled with the design 
changes, such as variations in voltage distribution, 
for a cumulative HCI effect. The cumulative effect 
will drive the infected transistors to wear even 
faster. This allows the hacker to isolate the most 
critical transistors in order to produce maximum 
effect for the malicious attack with minimum circuit 
alteration. 

For a example in a case of a processor, the hacker 
can modify the cache memory module because the 
cache is heavy utilized and it is not protected by 
error correction (ECC) ll27l . 

In a six transistor SRAM cell which can be 
used in the cache, the passthrough transistor is a 
perfect candidate for infection by the hacker. The 
passthrough transistor, seen in Figure |5| experiences 
heavy stress under high frequency of access. The 
red arrow in Figure [5] shows the current flow. 
An infected passthrough transistor (PS) will wear 
much faster then the rest of the SRAM cell. After 
some time of operation, the passthrough transistor 
will have a very high threshold voltage, Vt due 
to HCI. If the gate voltage, Vg, is not sufficient 



compared to the threshold voltage, the transistor 
fails to function. At this point, the passthrough 
transistor will not let a new value be written in 
during a write operation. Such device failures can 
lead to catastrophic results. In addition, the hacker 
can apply software techniques to further accelerate 
the process by increasing the writing frequency of 
the infected cell. The gradual degradation of the 
infected HCI transistors demonstrates a malicious 
attack, similar to a time-bomb mechanism, that is 
difficult to detect. 

Conclusion 

This paper discussed the concept of a new type of 
trojan that exploits HCI effect in transistors. There 
are no detection techniques that can detect all the 
variations of the HCI trojans in CMOS devices. In 
any post-production tests the infected transistor are 
operating just as well as normal transistors with 
no discrepancy in performance. The danger lies in 
the fact that until the trojan transistor has been in 
operation for some time, the circuit appears as if 
no malicious alterations have been inserted. The 
relationship between HCI effect and switching us- 
age of a transistor, makes the trojan HCI transistors 
incredibly dangerous. There is a critical demand for 
detection techniques that can properly identify HCI 
trojans. 
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